Call for testing: OpenSSH 10.4

Loganaden Velvindron loganaden at gmail.com
Tue Jun 30 23:19:22 AEST 2026


Compiles on Ubuntu 24 LTS:

Minor bugfix for the new mldsaed25519 hybrid:
 add experimental support for a composite post-quantum
   signature scheme that combines ML-DSA 44 and Ed25519 as specified
   in draft-miller-sshm-mldsa44-ed25519-composite-sigs.

https://github.com/openssh/openssh-portable/pull/695

I will put up another GitHub PR soon.

On Tue, 30 Jun 2026 at 07:05, Damien Miller <djm at mindrot.org> wrote:
>
> Hi,
>
> OpenSSH 10.4p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via git using the
> instructions at http://www.openssh.com/portable.html#cvs
> At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
> https://github.com/openssh/openssh-portable
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also appreciated.
> Please send reports of success or failure to
> openssh-unix-dev at mindrot.org. Security bugs should be reported
> directly to openssh at openssh.com.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Potentially-incompatible changes
> --------------------------------
>
>  * sshd(8): configuration dump mode ("sshd -G") now writes directives
>    in mixed case (e.g. "PubkeyAuthentication") whereas previously it
>    emitted only lower-case names.
>
>  * sshd(8): on Linux systems with the seccomp sandbox enabled,
>    failures to enable SECCOMP or NO_NEW_PRIVS are now fatal.
>    Previously sshd(8) would log the error but continue operation,
>    to support systems that lacked these features. Now systems that
>    lack these should instead disable the sandbox at configure time.
>
>  * ssh(1), sshd(8): make the transport protocol stricter by
>    disconnecting if the peer sends non-KEX messages during a post-
>    authentication key re-exchange. Previously a malicious peer could
>    continue sending non-key exchange messages without penalty. These
>    would be buffered, causing memory to be wasted up until the
>    connection terminated or the server/client hit a memory limit.
>    Implementations that do not restrict messages sent during key
>    exchange as per RFC4253 section 7.1 may be disconnected.
>    Reported by Marko Jevtic.
>
> New features
> ------------
>
>  * All: add experimental support for a composite post-quantum
>    signature scheme that combines ML-DSA 44 and Ed25519 as specified
>    in draft-miller-sshm-mldsa44-ed25519-composite-sigs.
>
>    This scheme is not enabled by default. To use it, you'll need
>    to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
>    Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
>
>  * ssh(1), sshd(8): replace the wildcard pattern matcher with an
>    implementation based on an NFA. This avoids exponential worst-case
>    behaviour for the old implementation.
>
> Bugfixes
> --------
>
>  * ssh-agent(1): fix incorrect reply to "query" SSH_AGENTC_EXTENSION
>    requests. bz3967
>
>  * ssh(1), sshd(8): fix several bugs that incorrectly
>    classified bulk traffic as interactive. bz3972, bz3958
>
>  * ssh-keygen(1), ssh-add(1): skip unsupported key types when
>    downloading resident keys from a FIDO token. Previously, downloads
>    would abort when one was encountered. GHPR657
>
>  * ssh(1): fix a potential use-after-free on an error path if
>    cipher_init() fails.
>
>  * sshd(8): perform stricter encoding and validation of transport
>    state passed between sshd privilege separation subprocesses. This
>    somewhat further hardens the server against attacks on sshd-auth
>    or sshd-session subprocesses.
>
>  * ssh-agent(1): avoid possible runtime denial of service by
>    enforcing some limits on the length of usernames in key use
>    constraints.
>
>  * sftp(1): fix two separate one-byte out-of-bounds reads, in
>    SSH2_FXP_REALPATH and batch command processing.
>
>  * sftp-server(8): disallow use of the copy-data extension to read
>    and write to the same inode simultaneously.
>
>  * ssh(1), sshd(8): avoid strlen(NULL) crash if an X11 channel was
>    created before the x11-req SSH_MSG_CHANNEL_REQUEST was sent.
>    GHPR679
>
>  * sftp(1), scp(1): avoid a situation where sftp_download() could get
>    stuck in a loop if a broken server repeatedly returned zero length
>    while reading a file.
>
>  * ssh(1): avoid leaking DNS0x20 case-randomised names into names
>    canonicalised using CanonicalizePermittedCNAMEs. bz3966
>
>  * sftp-server(8): avoid truncation of pathnames passed to lstat()
>    during SSH_FXP_REALPATH handling on systems where PATH_MAX is not
>    the actual max. GHPR688
>
>  * ssh(1), sshd(8): correct arming of poll(2) event masks for some
>    socket-type channels. GHPR660
>
>  * sshd(8): major refactor of sshd_config parsing and management
>    code, to allow for more exact serialisation/deserialisation across
>    privilege separation boundaries.
>
>  * ssh-add(1): open connection to the agent only after getopt()
>    processing has completed, to give options like "-v" a chance to
>    display debug information about this operation.
>
>  * crypto code: fix bounds checking when signing messages of length
>    greater than will fit in a size_t. In OpenSSH, message sizes are
>    bounded by SSHBUF_SIZE_MAX so this was unreachable.
>
>  * crypto code: add signature malleability and pubkey validity checks
>    to ed25519 verification. SSH doesn't depend on these properties
>
>  * crypto code: fix ECDSA order check for curves with cofactor != 1.
>    All supported EC curves have cofactor 1, so this was
>    unreachable.
>
>  * sshd(8): differentiate between execution failures and a subsystem
>    that was not found when logging why a subsystem failed to start.
>    GHPR637
>
>  * All: use safer idioms for timegm(3) and mktime(3) error detection.
>
>  * ssh(1), sshd(8): avoid accepting invalid cipher or MAC lists in
>    config files or command-line arguments. This could cause runtime
>    failures later.
>
>  * ssh(1): fix NULL deref crash during pubkey auth when using a PEM
>    style private key with no corresponding .pub key adjacent to it.
>
>  * sshd(8): don't print an error message when trying to load a host
>    private key when PKCS#11 keys are in use, as these don't need the
>    private half on the filesystem. GHPR664
>
>  * All: don't use deprecated ERR_load_crypto_strings(). GHPR650
>
>  * ssh(1): properly report errors during configuration default
>    setting. GHPR649
>
>  * ssh(1): use correct directive name (Match instead of Host) in
>    error message. bz3968
>
>  * sftp(1): fix "ls -ln" which was not correctly showing numeric
>    UID/GIDs but rather user and group names. bz3953
>
>  * sshd(8): avoid possible NULL dereference if an allocation fails
>    during config parsing. bz3948
>
>  * All: fix ineffective guards against loading overly large public
>    keys in several places. bz3969 and bz3970
>
>  * sftp(1): ensure file descriptors used by sftp to communicate to
>    its ssh(1) subprocess don't leak into executed subprocesses (e.g.
>    via "!"). GHPR693
>
> Portability
> -----------
>
>  * Sync fmt_scaled.c with OpenBSD upstream, picking up an exactness
>    fix for large exponents (GHPR671)
>
>  * sshd(8): remove duplicate sandbox entry for clock_gettime64.
>
>  * ssh(1), sshd(8): use correct IPTOS_DSCP_VA value if not provided
>    by the system headers.
>
>  * Sync getrrsetbyname.c with OpenBSD upstream, picking up robustness
>    fixes.
>
>  * Disable replacements in openbsd-compat for strvisx(3) and
>    stravis(3), as these are unused in OpenSSH
>
>  * Avoid fortify warnings on Android bz3954
>
>  * Fix a number of memory leaks on error paths in the portability
>    code. GHPR681
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
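
The release notes quoted above mention replacing the wildcard pattern matcher with an NFA-based one to avoid exponential worst-case behaviour. As an added illustration (not OpenSSH's code and not part of either message), this C sketch contrasts a recursive backtracking matcher with a state-set NFA simulation for `*` and `?`; the function names, `MAX_PAT` and the sample strings are assumptions made for the example.

```c
/* Added illustration, not OpenSSH source. '*' = any run, '?' = any one byte. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAT 256             /* assumed pattern-length cap for this sketch */
static unsigned long bt_steps;  /* calls made by the backtracking matcher */

/* Naive recursive matcher: every '*' retries each possible split point. */
bool glob_backtrack(const char *s, const char *p)
{
    bt_steps++;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        for (;; s++) {
            if (glob_backtrack(s, p + 1))
                return true;
            if (*s == '\0')
                return false;
        }
    }
    if (*s != '\0' && (*p == '?' || *p == *s))
        return glob_backtrack(s + 1, p + 1);
    return false;
}

/* NFA simulation: state i means "p[0..i) consumed". Only the set of live
 * states is tracked, so the cost is O(strlen(s) * strlen(p)), no backtracking. */
bool glob_nfa(const char *s, const char *p)
{
    size_t n = strlen(p), i;
    bool cur[MAX_PAT + 1] = { false }, next[MAX_PAT + 1];

    if (n > MAX_PAT)
        return false;                       /* fail closed on oversized patterns */
    cur[0] = true;
    for (;; s++) {
        for (i = 0; i < n; i++)             /* epsilon move: '*' may match empty */
            if (cur[i] && p[i] == '*')
                cur[i + 1] = true;
        if (*s == '\0')
            return cur[n];
        memset(next, 0, sizeof(next));
        for (i = 0; i < n; i++) {
            if (cur[i] && p[i] == '*')
                next[i] = true;             /* '*' consumes the byte and stays */
            else if (cur[i] && (p[i] == '?' || p[i] == *s))
                next[i + 1] = true;
        }
        memcpy(cur, next, sizeof(cur));
    }
}
```

On the constructed input of 28 `a` characters against `*a*a*a*a*a*a*b`, both matchers reject, but the backtracking version makes over a million recursive calls while the NFA version does a fixed amount of work per input byte.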

